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(54) Computer control data modification system 



(57) A data processing system has an erasable programmable read-only memory (EPROM) 22 for holding firmware, and an 
electrically-erasable programmable read-only memory (EEPROM) 23 for holding patch information specifying modifications 
to be made to the firmware. In operation, code is copied from the EPROM into a random-access memory (RAM) 21 and is 
then patched using the information in the EEPROM. The EEPROM can be accessed by a remote computer, 18, to write 
new patches into it. The EEPROM has separate areas for holding new and trusted patches. In operation, an attempt is 
made to modify the code using the new patches. If this is successful, the new patch area becomes the trusted patch area. 
Otherwise, the system reverts to the existing trusted patches, if any. 21 23 
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At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy. 
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DATA PROCESSING SYSTEM 

Background to the invention 

This invention relates to data processing 
systems. More specifically, the invention is concerned 
with a data processing system including a data processor 
and a read-only memory (ROM) for holding control 
information for the processor. The control information 
may comprise, for example, firmware or other programs 
for controlling the operation of the processor. 

In such a system, it may be necessary from time 
to time to update or correct the control information 
held in the ROM. One way of doing this is physically to 
replace the whole ROM with a new ROM. suitably 
programmed with the updated or corrected version of the 
control information. However, this is expensive and 
inconvenient, especially where a large ROM is involved. 
Also, in order to replace a ROM, it is usually necessary 
for skilled personnel to visit the user's site at which 
the system is located. 

United States Patent No, 4 751 703 proposes a 
method of modifying programs held in a ROM without the 
necessity for physically replacing the ROM. The program 
code is divided into blocks, the first instruction of 
each block being held in a special read/write memory 
(RAM) while the remaining instructions are held in the 
ROM. A block of code can be patched by replacing the 
first instruction of that block by a jump to a 
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replacement block. Thu S/ the program in the ROM can 
effectively be modified by modifying the information 
held in the RAM. 

However, a problem with the above method is 
that xt requires a virtual addressing scheme for 

addressing the code, since the first in^r- • • 

ne rirs t instruction of each 
block xs physically separate from the rest of the 
block. Moreover, the above method only allows the code 
to be modxfied by replacing the code on a block-by-block 
oasis . 

The object of the present invention is to 
provide a „a y of updating or modifying information held 

of th B " " lthOUt ne ° eSSity PhySiCal "Wo—nt 
of the ROM, while avoiding the problems mentioned above 
Summary of the invention 

According- to the invention there is provided a 
data processing system comprising: 

(a) a data processor 

(b) a read-only memory for holding control inform- 
ation for the data processor, 

(c) a read/write random access memory, 

(d) a further memory for holding modification 
information defining modifications to be 
applied to the control information, 

(e) means for copying the control information from 
the read-only memory into the random-access 
memory, and 

(f) means for using the modification information in 
the further memory to modify the copy of the 
control information in the random-access 
memory. 

One data processing system in accordance with the 
present invention will now be described by way of 
example with reference to the accompanying drawincs . 
Brief des cription of the drawing.. 

Figure 1 is a block diagram of a data 
processing system embodying the invention, the system 



including a node support computer (NSC) . 

Figure 2 is a flow chart showing actions 
performed by a remote computer to write patch 
information into the NSC. 

Figure 3 is a flow chart showing operation of 
the NSC when it is powered up or reset. 

Figure 4 is a flow chart showing a ROM- to- RAM 
loader program executed by the NSC, 

Figure 5 is a flow chart showing part of an 
Initial Application program executed by the NSC. 
Description of an embodiment of the invention 

Referring to Figure 1, the data processing 
system comprises a main computer, referred to as a 
processing node 10, and a subsidiary computer referred 
to as a node support computer (NSC) 11. The purpose of 
the NSC is to assist with initial program load of the 
processing node, and to provide various diagnostic and 
monitoring facilities for the processing node. The 
structure of the processing node 10 forms no part of the 
present invention and so will not be described herein. 

The NSC comprises an internal bus 12, which 
interconnects a communications board 13, a processor 
board 14, a ROM board 15, and a miscellaneous board 16. 

The communications board 13 connects the NSC by 
way of a communications link 17 (e.g. a telephone line) 
to a remote computer 18. This allows the remote 
computer to perform diagnostic operations on the system 
and also, as will be described, to load patch 
information into the NSC. 

The processor board 14 includes a conventional 
microprocessor 19, a 16Kbyte programmable read-only 
memory (PROM) 20, and a 1Mbyte dynamic random-access 
memory (RAM) 21. In operation, the microprocessor 
executes programs held either in the PROM 20 or in the 
RAM 21. 

The ROM board 15 comprises a 2Mbyte erasable 
programmable read-only memory (EPR0M) 22 and a 16Kbyte 
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electrically erasable programmable read-only memory 
( EEPROM) 23. The EPROM holds programs (firmware) which 
m operation are loaded into the RAM on the processor 
board, for execution by the processor, as well as 
programs for the processing node 10. The EEPROM holds 
patch information indicating modifications to be made to 
the programs loaded into the RAM from the EPROM. The 
miscellaneous board 26 includes drive circuits- for 
coupling the NSC to the processing node 10. 
EEPROM contents 

The EEPROM contains lSKbytes which are 
addressed as segment number E800, byte offset 0000-7FFF 
(m hexadecimal notation). The contents of the EEPROM 
are as follows:- 

byte offset Contents 
0000-07CF- reserved 
07D0-07FF control area 



0800-2FFF 



reserved 



3000-57FF ^ -l 

£r patch area 1 

5800-7FFF ^ = . , 

patch area 2 

Patch areas 1 and 2 are used to hold patch 
information indicating modifications to be made to the 
programs loaded from the EPROM into the RAM. In 
operation, either of these two patch areas can be 
designated the "trusted" patch area, and is used to hold 
tried and tested patch information. The other of the 
areas is designated the "new" patch area, and is used to 
hold new patch information that has not yet been tried. 

The control area contains information about the 
status of the patch areas as follows :- 

PATCH BASE ROM ID: This indicates the identity of the 

EPROM to which the patches are to be applied. 

PATCH VALIDITY : This i? «f v • 

Anas is set to the hexaaecimal value 

1A 2B 3C 4D if the other items in the control area are 
valid. 

PATCH SELECTOR: This identifies the current "trusted- 
patch area (if any) and also, by implication, identifies 
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the "new" patch area, as follows. If PATCH SECTOR = 0, 
there is no trusted patch information available, and 
patch area 1 is designated the new patch area. If PATCH 
SECTOR = 1, then patch area 1 is the trusted patch area 
and patch area 2 is the new patch area. If PATCH 
SELECTOR = 2 f then patch area 2 is the trusted patch 
area and patch area 1 is the new patch area.- 
PATCH STATUS: This indicates the status pf the new 
patch, if any. If PATCH STATUS = 0, there is no new 
patch. If PATCH STATUS = 1, a new patch is ready to be 
tried. If PATCH STATUS = 2, a new patch is currently 
being tried. If PATCH STATUS - 3, a new patch has 
failed. 

Each of the patch areas consist of a header, 
followed by a number of patch records of variable 
length. Each patch record comprises the following 
fields . 

RECORD LENGTH: this indicates the number of bytes in 
the record, inclusive of this length field. 
RAM SEGMENT ADDRESS and RAM BYTE OFFSET: these two 
fields specify the position within the RAM at which the 
patch data is to be written. 

PATCH DATA: this is the patch data which is to be 
written into the RAM to modify the programs held in the 
RAM. 



of the RAM. 

Using these patch records, a program held in 
the RAM can be modified in two different ways. 



(b) 



(a) 



Each patch record can specify either: 
a modification to an existing byte (or 
contiguous sequence of existing bytes) in 
the RAM, or 

binary data to be written into a reserved area 



(a) 



It can be modified by a straightforward 
byte-f or-byte substitution, specified by one 
or more patch records. 

Alternatively, a patch record can be used to 



(b) 
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insert a new sequence of code in 

area of th . „, „ Mle another patch *- 

"- to punt a Jump instruction to the start 
or the new sequence af 

4 ence, at the appropriate 

location of the existing code. 
Transfer of pa f , h records 

The patch records are generated by the r em n<- 

colter 18. and are held in a patch fUe [ n th at 

computer. When it is desire * 

x& aesired to UDdaf*» «• 

,, nV 17 . ' Dy way of the communications 

link 17, xnto the EEPROM in the NSC. 

The procedure for transferring the Patc h 
records is shown in Figure 2. 
(2-1) First, the remote computer se „ n = . 
*. -guesting the states of 1 ^ ^ 
among other th ings . an indication of he «a t us or If 
BEPHOM. if the eeprom is deemed to have 2 I 
error message is generated, and the attemP ^ r ZlVr" 
the patch records is abandoned. transfer 
(2-2) Assuring that the EEPROM has not failed, the 
remote computer then accesses the HSC ROM VERSION, i . 

he ; sc tdT 6 : °? he EPR0M ™ tiy d ; r 

av,il!« " h " her thSre «" W Patch records 

then wntes these items into the RAM in the HS C 

records b Tl ""^ r ~" the 

records back again, and compares then with the dat. * 

»as written. Xf the comparison fails, an 
generated, suggesting a possible communication ' 

:;::::. ,ie attempt to tr — - -«* 

(2-3, Assuring that the comparison is successful, the 
remote computer now reads the current contents of the 
patch control area from the EEPROM in the NSC, and 
checks whether it is valid. 



(2-4) If the contents of the patch control area are not 
valid, the PATCH SELECTOR field is set to 0 to indicate 
that there is no trusted patch information currently 
available in the EE PROM . The PATCH STATUS field is also 
set to 0 to indicate that there is, as yet, no new patch 
information in the EEPROM. 

(2-5) If, on the other hand, the contents of the patch 
control area are valid, it is assumed that there is 
already some trusted patch information in the patch area 
indicated by the PATCH SELECTOR field. In this case, 
only the PATCH STATUS field is set to 0. 

If, at steps 2-4 or 2-5, any of the writes to 
the control area of the EPROM fails, an error message is 
generated, indicating that the EEPROM has failed, and 
patching is abandoned. 

(2-6) The patch records are now transferred from the RAM 
into the new patch area of the EEPROM, as indicated by 
the PATCH SELECTOR field* Again, if any of the writes 
to the EEPROM fails, an error message is generated and 
patching is abandoned. 

The contents of the new patch area are then 
read back from the EEPROM and compared with the data 
that was written. If the comparison fails, an error 
message is generated, and patching is abandoned. 
(2-7) Assuming that the comparison is successful, the 
PATCH STATUS field of the control area of the EEPROM is 
set to 1 to indicate that new patch information is now 
being tried. 

(2-8) Finally, the whole of the patch control area is 
read back from the EEPROM and compared with the expected 
values. If the comparison fails, an attempt is made to 
set the PATCH VALIDITY field of the EEPROM to 0, an 
error message is output, and patching is abandoned. 
Operation of NSC 

Referring now to Figure 3, this shows the 
operation of the NSC when it is powered up or reset. 
(3-1) The first action on power-up or reset is to run an 
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establishment test program, which is resident in the 
PROM 20 on the processor board. This tests the basic 
facilities of the NSC. 

(3-2) Assuming that the establishment test is 
successful, the NSC then performs a ROM- to- RAM loader 
program, which is also resident in the PROM 20. This 
loads BASE and INITIAL APPLICATION programs from the 

he p rd 0M in 22 th int ;, P the 21 • jt then wiies - e 

held m the EEPROM 23 to the RAM; that is, it modifies 
the Programs in the RAM in accordance with the patch 
information in the EEPROM. 

to th. start of the BASE program, which is „ ow „. la V 
the RAM, nodified by any p„ ttaiM . M , is ^ basio 
operating program of the NSC. 

(3-4) The BASE program calls the INITIAL APPLICATION 
program. This controls loading of firmware from the 
EPROM 22 into the processing node 10. 
ROM-to-RAM loader 

The ROM-to-RAM loader program referred to above 
will now be described in more detail with reference to 
Figure 4. 

(4-1) The first action of the ROM-to-RAM loader is to 
clear the RAM 21 and to test it. 

(4-2) The BASE and INITIAL APPLICATION programs are then 
loaded from the EPROM 22 into the RAM. 

(4-3) The contents of the EEPROM 23 are then copied into 
a reserved area of the RAM. The copy is rea d back three 
times and compared with the contents of the EEPROM, to 
provide a stability check on the contents of the 
EEPROM. Also, the patch control area is checked to 
ensure that the PATCH VALIDITY -field is set, and that 
other items in the control area have valid values 
(4-4) A branch is now made according to the value of the 
PATCH STATUS field of the patch control area. 

If the PATCH STATUS is 0, there is no new patch 
available, and if PATCH STATUS is 3, there is a new 



patch, but it has failed for some reason. In either of 
these cases, the following actions are performed. 
(4-5) If the PATCH SELECTOR field is non-zero, there is 
a trusted patch available, which can be used. 
(4-6) The copy of the trusted patch in the RAM is 
checked to ensure that it is valid. 
(4-7) If the patch is valid, it is applied to the 
programs previously loaded into the RAM. This involves 
reading each patch record in turn from the patch area, 
and writing the patch data in that record into the RAM 
at consecutive locations, starting from the byte 
specified by the RAM SEGMENT ADDRESS and RAM BYTE OFFSET . 
(4-8) If it was found at step 4-7 above that the patch 
was invalid, an error is logged and the attempt to apply 
the patches is abandoned. 

(4-9) If the patch* status has been changed by the 

ROM- to- RAM loader, the EEPROM is accessed and the PATCH 

STATUS field is updated accordingly. 

(4-10) If it was found at step 4-4 above that PATCH 
STATUS = 2, this indicates that a new patch has been 
tried, but the programs as modified by the new patch 
failed to run successfully. In this case, the PATCH 
STATUS is changed to 3 to indicate that the new patch 
has failed. The procedure then continues from step 4-5 
as described above. 

(4-11) If it was found at step 4-4 that PATCH STATUS * 
1, this indicates that a new patch is ready to be 
tried. The copy of the new patch in the RAM is checked 
to ensure that it is valid. 

(4-12) If the new patch is valid, then PATCH STATUS is 
set to 2 to indicate that a new patch is now being 
tried. The procedure then continues from step 4-7 as 
described above, using the designated new patch area to 
patch the RAM, If, on the other hand, the new patch is 
found to be invalid, the procedure continues from step 
4-10 as described above. 



n 
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INITIAL APPLICATION . 



As described above, after the ROM- to- RAM loader 
program, the BASE and INITIAL APPLICATION programs are 
run. 



At bom convenient point in the execution of 
the INITIAL APP LI c M I 0H prograB . the aotlons shown 
Figure 5 are performed. 

(5-1) A test is made to determine whether or not the 
program has been patched. 

(5-2) if so , the patch STATUS field is examined. 

(5-3) „ PATCH STATUS = 2, this indicates that a new 
patch xs currently being tried, since the INITIAL 
APPLICATION program is now running successfully 
new patch in place, it is assumed that the new patch 

n! 2 V S ^ ' ^ indiCate ^ tMs new is 

now the trusted patch, and the PATCH STATUS is set to 0 

to indicate that there is now no new patch. The program 

then continues running normally. 

If either of the write accesses to the EEPROM 
f-ls, the NSC is reset, so that it will restart with 
the establishment test as shown in Figure 3. 
Conclusion 

In summary, it can be seen that the above 

EEPRoT S TT PatCh inf ° rmati0n t0 be ~"t.n into the 
EEPROM, and then to be applied to the programs the next 
time the NSC is reset or powered up. 

If the newly applied patch information corrupts 
the BASE or INITIAL APPLICATION programs to such an 
extent that the latter fails to get establish, then afc 
the next reset or power-up the new patch will be 
designated as "failed". The system will therefore 
revert to any existing trusted patches or, if there are 
no trusted patched, will proceed without any patches 
being applied. 
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CLAIMS 

1. A data processing system comprising :- 

(a) a data processor, 

(b) a read-only memory for holding control 
information for the data processor, 

(c) a read/write random-access memory, 

(d) a further memory for holding modification 
information defining modifications to be 
applied to the control information, 

(e) means for copying the control information from 
the read-only memory into the random-access 
memory, and 

(f) means for using the modification information in 
the further memory to modify the copy of the 
control information in the random-access memory. 

2. A system- according to Claim 1 wherein the 
further memory is an electrically erasable programmable 
read-only memory (EEPROM) . 

3. A system according to Claim 1 or 2 wherein said 
further memory is accessible by a remote computer to 
allow the remote computer to write modification 
information into the further memory. 

4. A system according to any preceding claim 
wherein said control information comprises a program for 
controlling the operation of the data processor* 

5. A data processing system according to any 
preceding claim wherein said further memory comprises at 
least two areas, one of said areas being designated as a 
trusted area for holding modification information that 
has been successfully tried, and another of said areas 
being designated as a new area for holding modification 
information that has not yet been tried. 

6. A data processing system substantially as 
hereinbefore described with reference to the 
accompanying drawings. 

7. A method of operating a data processing system 
comprising : - 
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(a) 



(b) 



storing control information in a read-only 
memory, J 



storing modif ication information in a further 
memory, 

(c) copying the control information from the 

read-only memory into a read/write 
random-access memory, and 

<*> using the modification information in the 

further memory to modify the copy of the 

control information in the r»n^ „ 
o ^ cne r andom-access memorv 

A method according to Claim 7, further 
comprising the steps:- 

(a) dividing the further memory into at least two 

SLreas / 

<*> designating one area as a trusted area for 

holdxng modification information that has been 
successfully tried, and 
(O designating the other area as a new area for 

holdxng modification information that has not 
yet been tried. 

»■ A Method ao=ordin 9 to Claim 8 wherein the step 

I""" 9 »°<»«~«°>. information comprises chectng 

««) using the modification information in the new 

area to modify the control information in the 
random-access memory, 

(b) operating the data processing system using the 

modified control information, and 

(<=) if the data processing system operates 

successfully using the modified control 
information, re-designating the new area as the 
trusted area. 

10. A method according to Claim 9 wherein, if the 

data processing system does not operate successful^ 
using the modified control information: 
(a) the control information from the read-only 
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memory is copied again into the random-access memory, and 
(b) the modification information (if any) in the 

trusted area is used to modify the control 
information in the random-access memory. 

11. A method according to any one of claims 7 to 10 
including the step of writing modification information 
into the further memory from a remote computer by way of 
a communications link. 

12. A method of operating a data processing system 
substantially as hereinbefore described with reference 
to the accompanying drawings. 



